berbew | b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe
Size

88KB
MD5

ef970a280cf91dd7892ac12a07846f62
SHA1

d52ec693e6126c42aeb48bd017e8f379b1255552
SHA256

b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad
SHA512

cca1b46751946396e5fb5c9ed7efc80a5153d7db80fd8e57fda8059373ef4ac3c122ee75ce6c6b881d63f72093e43fbc539e54ff465615e67bb08a6475bc8cdc
SSDEEP

1536:c7Udlqx79SbULKEiipDv2MWbgkmvWUTCL2Ge++x/:UUPqx792SBySGe++9

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kageia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libjncnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfpmc32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 12 IoCs

pid	Process
2712	Kdnkdmec.exe
2136	Kjhcag32.exe
2952	Kmfpmc32.exe
2676	Kablnadm.exe
796	Kkjpggkn.exe
2440	Kdbepm32.exe
628	Kfaalh32.exe
2436	Kageia32.exe
1088	Kdeaelok.exe
1364	Libjncnc.exe
1052	Llpfjomf.exe
1040	Lbjofi32.exe

Loads dropped DLL 28 IoCs

pid	Process
2652	b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe
2652	b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe
2712	Kdnkdmec.exe
2712	Kdnkdmec.exe
2136	Kjhcag32.exe
2136	Kjhcag32.exe
2952	Kmfpmc32.exe
2952	Kmfpmc32.exe
2676	Kablnadm.exe
2676	Kablnadm.exe
796	Kkjpggkn.exe
796	Kkjpggkn.exe
2440	Kdbepm32.exe
2440	Kdbepm32.exe
628	Kfaalh32.exe
628	Kfaalh32.exe
2436	Kageia32.exe
2436	Kageia32.exe
1088	Kdeaelok.exe
1088	Kdeaelok.exe
1364	Libjncnc.exe
1364	Libjncnc.exe
1052	Llpfjomf.exe
1052	Llpfjomf.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmfpmc32.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Kjpndcho.dll	Kmfpmc32.exe
File opened for modification	C:\Windows\SysWOW64\Kfaalh32.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Kageia32.exe	Kfaalh32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Llpfjomf.exe
File opened for modification	C:\Windows\SysWOW64\Kmfpmc32.exe	Kjhcag32.exe
File opened for modification	C:\Windows\SysWOW64\Kablnadm.exe	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Hlekjpbi.dll	Kablnadm.exe
File created	C:\Windows\SysWOW64\Bccjfi32.dll	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Alhpic32.dll	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Kfaalh32.exe	Kdbepm32.exe
File opened for modification	C:\Windows\SysWOW64\Kageia32.exe	Kfaalh32.exe
File created	C:\Windows\SysWOW64\Caefjg32.dll	b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe
File created	C:\Windows\SysWOW64\Gpcafifg.dll	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Kablnadm.exe	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Kkjpggkn.exe	Kablnadm.exe
File opened for modification	C:\Windows\SysWOW64\Kdbepm32.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Llpfjomf.exe	Libjncnc.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Llpfjomf.exe
File opened for modification	C:\Windows\SysWOW64\Kdeaelok.exe	Kageia32.exe
File created	C:\Windows\SysWOW64\Jlflfm32.dll	Kfaalh32.exe
File created	C:\Windows\SysWOW64\Mbbhfl32.dll	Kageia32.exe
File created	C:\Windows\SysWOW64\Ipbkjl32.dll	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Kdnkdmec.exe	b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe
File opened for modification	C:\Windows\SysWOW64\Kjhcag32.exe	Kdnkdmec.exe
File opened for modification	C:\Windows\SysWOW64\Kkjpggkn.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Phblkn32.dll	Kdbepm32.exe
File opened for modification	C:\Windows\SysWOW64\Llpfjomf.exe	Libjncnc.exe
File created	C:\Windows\SysWOW64\Kjhcag32.exe	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kageia32.exe
File created	C:\Windows\SysWOW64\Libjncnc.exe	Kdeaelok.exe
File opened for modification	C:\Windows\SysWOW64\Kdnkdmec.exe	b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe
File created	C:\Windows\SysWOW64\Kcadppco.dll	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Kdbepm32.exe	Kkjpggkn.exe
File opened for modification	C:\Windows\SysWOW64\Libjncnc.exe	Kdeaelok.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2044	1040	WerFault.exe	41

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfpmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjpggkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfaalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libjncnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpfjomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kageia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnkdmec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlekjpbi.dll"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll"	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpndcho.dll"	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kablnadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcafifg.dll"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phblkn32.dll"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll"	Kageia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll"	b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Libjncnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2712	2652	b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe	30
PID 2652 wrote to memory of 2712	2652	b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe	30
PID 2652 wrote to memory of 2712	2652	b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe	30
PID 2652 wrote to memory of 2712	2652	b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe	30
PID 2712 wrote to memory of 2136	2712	Kdnkdmec.exe	31
PID 2712 wrote to memory of 2136	2712	Kdnkdmec.exe	31
PID 2712 wrote to memory of 2136	2712	Kdnkdmec.exe	31
PID 2712 wrote to memory of 2136	2712	Kdnkdmec.exe	31
PID 2136 wrote to memory of 2952	2136	Kjhcag32.exe	32
PID 2136 wrote to memory of 2952	2136	Kjhcag32.exe	32
PID 2136 wrote to memory of 2952	2136	Kjhcag32.exe	32
PID 2136 wrote to memory of 2952	2136	Kjhcag32.exe	32
PID 2952 wrote to memory of 2676	2952	Kmfpmc32.exe	33
PID 2952 wrote to memory of 2676	2952	Kmfpmc32.exe	33
PID 2952 wrote to memory of 2676	2952	Kmfpmc32.exe	33
PID 2952 wrote to memory of 2676	2952	Kmfpmc32.exe	33
PID 2676 wrote to memory of 796	2676	Kablnadm.exe	34
PID 2676 wrote to memory of 796	2676	Kablnadm.exe	34
PID 2676 wrote to memory of 796	2676	Kablnadm.exe	34
PID 2676 wrote to memory of 796	2676	Kablnadm.exe	34
PID 796 wrote to memory of 2440	796	Kkjpggkn.exe	35
PID 796 wrote to memory of 2440	796	Kkjpggkn.exe	35
PID 796 wrote to memory of 2440	796	Kkjpggkn.exe	35
PID 796 wrote to memory of 2440	796	Kkjpggkn.exe	35
PID 2440 wrote to memory of 628	2440	Kdbepm32.exe	36
PID 2440 wrote to memory of 628	2440	Kdbepm32.exe	36
PID 2440 wrote to memory of 628	2440	Kdbepm32.exe	36
PID 2440 wrote to memory of 628	2440	Kdbepm32.exe	36
PID 628 wrote to memory of 2436	628	Kfaalh32.exe	37
PID 628 wrote to memory of 2436	628	Kfaalh32.exe	37
PID 628 wrote to memory of 2436	628	Kfaalh32.exe	37
PID 628 wrote to memory of 2436	628	Kfaalh32.exe	37
PID 2436 wrote to memory of 1088	2436	Kageia32.exe	38
PID 2436 wrote to memory of 1088	2436	Kageia32.exe	38
PID 2436 wrote to memory of 1088	2436	Kageia32.exe	38
PID 2436 wrote to memory of 1088	2436	Kageia32.exe	38
PID 1088 wrote to memory of 1364	1088	Kdeaelok.exe	39
PID 1088 wrote to memory of 1364	1088	Kdeaelok.exe	39
PID 1088 wrote to memory of 1364	1088	Kdeaelok.exe	39
PID 1088 wrote to memory of 1364	1088	Kdeaelok.exe	39
PID 1364 wrote to memory of 1052	1364	Libjncnc.exe	40
PID 1364 wrote to memory of 1052	1364	Libjncnc.exe	40
PID 1364 wrote to memory of 1052	1364	Libjncnc.exe	40
PID 1364 wrote to memory of 1052	1364	Libjncnc.exe	40
PID 1052 wrote to memory of 1040	1052	Llpfjomf.exe	41
PID 1052 wrote to memory of 1040	1052	Llpfjomf.exe	41
PID 1052 wrote to memory of 1040	1052	Llpfjomf.exe	41
PID 1052 wrote to memory of 1040	1052	Llpfjomf.exe	41
PID 1040 wrote to memory of 2044	1040	Lbjofi32.exe	42
PID 1040 wrote to memory of 2044	1040	Lbjofi32.exe	42
PID 1040 wrote to memory of 2044	1040	Lbjofi32.exe	42
PID 1040 wrote to memory of 2044	1040	Lbjofi32.exe	42

C:\Users\Admin\AppData\Local\Temp\b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe
"C:\Users\Admin\AppData\Local\Temp\b7f6bb6266d67ac65eb4b6ce147a1de3fc5d61fc242c47f68a5dcd438ffad3ad.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\Kdnkdmec.exe
  C:\Windows\system32\Kdnkdmec.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\Kjhcag32.exe
    C:\Windows\system32\Kjhcag32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\SysWOW64\Kmfpmc32.exe
      C:\Windows\system32\Kmfpmc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\Kkjpggkn.exe
        
        C:\Windows\system32\Kkjpggkn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Kfaalh32.exe
        
        C:\Windows\system32\Kfaalh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Kageia32.exe
        
        C:\Windows\system32\Kageia32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Libjncnc.exe
        
        C:\Windows\system32\Libjncnc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Llpfjomf.exe
        
        C:\Windows\system32\Llpfjomf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 140
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hlekjpbi.dll

Filesize
7KB

MD5
5e59c5107101952437226e89aebb2e23

SHA1
e587f3f64110fc42839328377c0286e93082b093

SHA256
e46204af4acf81246ea8c7ba987597845b9466a2969c569397b529ff68b799f3

SHA512
092897ee735cf0960eac17864f79d5bb57c597d89ad1cb68ac5523ab8c5619e53f47582c2e702b6acff160995ebab43d648abcff8042da60a7b6dea821e0f42b

Download Submit
C:\Windows\SysWOW64\Kdnkdmec.exe

Filesize
88KB

MD5
2cdee82d5f049ee2640d7105843a2706

SHA1
33d2fd40dc8782c30a34859af2b2610c4ca216a8

SHA256
1b75ac14bedea72d2e9b7e953081dbc0cb1e2ba21c53851cc53fd9edd52068e4

SHA512
66381361b4691ec9e16f40fc284187811640c8456eeae17a8da5f0bd34926cc9ddcef5b0e6aaef6321d3d1e60d364ab7de9d15697b4ae0956511611f183a9b1a

Download Submit
C:\Windows\SysWOW64\Kjhcag32.exe

Filesize
88KB

MD5
1a99f49ec13760b9c4b8ba37274b6475

SHA1
4fec4b5a4d3572f47a33254d9482747eec352f6b

SHA256
d2c6232e4b6c5d461f838ed0294a5b5c2292153c8f28c9f340d3bd009ba4f26a

SHA512
8a99a65331a17a8dff89ba2126b8506abba3f3a2c189d8ad61da9b65e4359a883b0268fe9304aa90d72e2839d7fdae437824c2cb6b13435292b1e6413b6c1e1f

Download Submit
C:\Windows\SysWOW64\Kmfpmc32.exe

Filesize
88KB

MD5
7508be44fb21d83431c0c5a66a898069

SHA1
8604bab9dfe449342b10decdba286af1168b1bde

SHA256
b981e3f528d8bdf147793f558ae589c7ecb1db86c69f067ba8b25ee64a00071f

SHA512
50f62ddc176a8ad6cf7297c7b4e565da58bd1ced341c788e3b3fd8ea71cea5af8afd651d273727714e3b9139e9db9ea5ec12d84aac0e4272988cf3ecbbe05155

Download Submit
\Windows\SysWOW64\Kablnadm.exe

Filesize
88KB

MD5
bfc2b986b7bb6bcd2db948c9cba421e8

SHA1
cc8c01f316a4e83bfc858a705854d7ecd8b679e6

SHA256
b9008c043631762e82bd5f59acf813f696bab16ab4d64be7b0163f0df4501501

SHA512
baa4c7a67f5d975c3cd447f0a33c4c9bb7cad8ffca59834b0f8a8711a5f60f2283c4876376ef186a866ed251665a2692eb5da44aecc24af9e628821a950c7a42

Download Submit
\Windows\SysWOW64\Kageia32.exe

Filesize
88KB

MD5
d7aa416a5408d6aeda133d75b908fd94

SHA1
719e5b1e25b550d4fd5ad5ab4bbca4609391df84

SHA256
585719e73e30290b72d16da601268e1a77c1273363ce693b298806f25e7119b2

SHA512
f11259055b694df1fc6d6b8c3eff8fcd44d30dfc1e41fbc4e0b86194af26b28abaf15e47f5930adbe495435215a31967d2d9ae922b13c9b6f0999ad77cea3f5b

Download Submit
\Windows\SysWOW64\Kdbepm32.exe

Filesize
88KB

MD5
e67604c2719ebbefc35aab28f5c7cb2f

SHA1
77f002d5d51b5170cba1d6be92a40ec880ae14e7

SHA256
6af3e624e6d5ad0f99007efa2c7685d22774992b4e230f10054a8f79aca5364b

SHA512
ba4a5139aac31e4972e3f96ca1f2588962d3c07a80bbf23a787787f46a61e3aa2012653edfbbab595ce46f73a86b6b0005dcfaa44dbb5d3d6297f9636f3a3663

Download Submit
\Windows\SysWOW64\Kdeaelok.exe

Filesize
88KB

MD5
64fbb143dbb8f2c3bd6ef24edc652755

SHA1
42ea83a339036ae8abe96db6f7d8246a2c21e533

SHA256
a7a013cc7fe1f5f2d727315064c25f3777c6705da555df096e0f7d2b2e2ee87c

SHA512
142d4ffa48a352aebb34220c7f11cd9361254e07e3ca98572537b91a58f3a328760e4e49c4879a8943b970cd2287fb23095d9d7a2bd87e4ffb0902b4f35f3a93

Download Submit
\Windows\SysWOW64\Kfaalh32.exe

Filesize
88KB

MD5
fb541f7163c68c9e6ac8ad91c9be23ea

SHA1
2230684d488cc7a0c687be515afe30371100540d

SHA256
0f87596e8bf619447261eed523b525fc0abdd9bad8f56e92f2cd38d3f0a36aba

SHA512
49acc7a16c7b03b63e5309c868c1cf3acb095f2b0c5f82b415d5e7c21016ca577483f897d64358d78c89d33e5cd8f1a00c7cb04933825de426763456595e211d

Download Submit
\Windows\SysWOW64\Kkjpggkn.exe

Filesize
88KB

MD5
4de887e7a0527a0850f6424c925185a6

SHA1
75f353634e534c59d873096adcc74b09661acf6a

SHA256
8757fac376bda1d29b0852dfdb18a5f30d01f86de1575f1ff0e31f920af6a393

SHA512
85af25a9f3d63d61e11ec2d51c09e8105ccd57f3baab6f4f0be0702f38c98746b80943276e7f239062e6f20e45de2ae8b92a124a9f80e10db2174b93c68c49ca

Download Submit
\Windows\SysWOW64\Lbjofi32.exe

Filesize
88KB

MD5
a968adc55784c64c4ed24f695dc58541

SHA1
eff81d4e6156f6fa3788cd4b78f3d32fe2aa0fa0

SHA256
df4ac7604d4b119d25616f25949da2a64e92589fc8f71ac9b982115fbfcb3d0c

SHA512
15c8b0ed44d296e34f05108f9e9b942c62e51a0311968d5b81c22a5ae5bfbdf9d3470b02db7d1a333c66223cf9b2096103b75b6c02fb800772130f816790f530

Download Submit
\Windows\SysWOW64\Libjncnc.exe

Filesize
88KB

MD5
bbcfbeb7f1e8a8a20c33a7b7dc745d42

SHA1
8ba2e2aa892d717a07940b903bce70b56cd23614

SHA256
0f90527a03306b46d8da995ec274e974132ebb8d1dbef134f822790283bacfce

SHA512
5d2da962a4a83823c5e8d88dfd18c9c56108cb894ebb2394eb88208f8ed9ad9535131807cff43168619c2312326fadebc8e15bd869a7b0d9b4a3bd693c45dd88

Download Submit
\Windows\SysWOW64\Llpfjomf.exe

Filesize
88KB

MD5
b66e88ee90973092fb71efdb0b16647b

SHA1
39b7f0ed4aa2d68fde61bc31ed949d24c606faf7

SHA256
0b8ab6a010569df7bbe890ff44179a9a05733d5aaf86c55baf088a5d92cc529d

SHA512
fbe7ba7763ef4d0d48d20db9ae11ea4d11b749dc2bbce9a11ae42bb4459054208da376ee2c269367f48eb51e51c17deda8b98bf018d969636042fef1c8f343e6

Download Submit
memory/628-172-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/628-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/796-81-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/796-171-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/796-69-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1040-161-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1052-168-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1052-148-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1088-122-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1088-167-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1364-166-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1364-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2136-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2436-114-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2436-169-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2440-83-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2440-170-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2652-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2652-174-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2652-30-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/2652-29-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/2676-67-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2676-173-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2676-68-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2712-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2712-32-0x0000000000320000-0x0000000000356000-memory.dmp

Filesize
216KB

Download
memory/2952-53-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/2952-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads